Top five data security travel issues: Protect sensitive information on business trips

Overseas travel is part and parcel of modern business life, but with data security hazards including the loss or theft of equipment, spyware on PCs in hotels and airports, data theft through WiFi and border or customs officials, (particularly in countries prone to corruption or with illiberal authorities), what do IT security professionals need to consider when developing appropriate policies?

Overseas travel is part and parcel of modern business life, but with data security hazards including the loss or theft of equipment, spyware on PCs in hotels and airports, data theft through WiFi and border or customs officials, (particularly in countries prone to corruption or with illiberal authorities), what do IT security professionals need to consider when developing appropriate policies? Jim Mortleman investigates:

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Amrit Williams, CTO at security management provider BigFix, agrees the problem is universal. "All countries present a high risk for carrying IT equipment, especially equipment storing confidential data. Obviously those with lax security or law enforcement, limited intellectual property laws, a history of criminal activity, unfriendly or antagonistic feelings towards the traveller's country of origin, military hotspots or heightened criminal or terrorist activity present increased risk for data loss."

Airports present particular risks

But while it may not be useful to single out particular countries, it is worth noting airports everywhere are renowned hotspots for theft and pick-pocketing. Neil O'Connor, principal consultant at independent security consultancy Activity IM, says travelling staff need to be aware of the need to keep their valuables in sight at all times. "That's not always easy, particularly when you are being frisked at security. I have certainly had an exchange of views with an airport security person in the UK when I was unwilling to come forward to be searched until my bag containing my laptop was through the scanner. And don't put your laptop in hold baggage. An acquaintance of mine was forced to do this by officious check-in staff - and, no surprise, it did not appear at the other end."

Airports can present other problems for those travelling with IT kit. Nick Lowe, regional director of Northern Europe for Check Point, says one of the riskiest countries to enter with a computing device is the USA. "In summer 2008, the US Department of Homeland Security confirmed what some travellers already knew: border agents are allowed to search through files on laptops, Blackberries, smart phones or any other digital device when you enter the country, even when there is no reasonable cause," says Lowe. "Officials can keep data or the entire computer, copy what they want and share this data with other agencies - and can force you to give the password if the data is encrypted. Of course, if the data is not suspicious, guidelines say the copied data should be destroyed - but after what time interval? And how securely will it be stored while it's being assessed?"

Twin hazards of ideology and corruption

Steve Subar, CEO of mobile virtualisation company OK Labs, says border crossings present two main challenges for corporate travellers carrying IT kit. The first arises in countries where importers face high duties (for example India and Brazil), and employees may have to pay if they can't prove equipment is not being imported. The second, more acute, challenge comes when travelling to countries with authoritarian regimes: "Some governments attempt to control access to the Internet and international media and view travellers' mobile devices as leaks in the ideological dikes they would erect around themselves," he says.

Corrupt officials can also present problems. For instance, one IT professional who did not want to be identified said: "When I landed in Russia for a flight connection to China, I had to pay a 'tax' to take my laptop onto the connecting flight. I knew there was no tax, but had no option but to pay and of course I wasn't given a receipt. My boss told me to put it down on expenses as 'airport assistance'."

Practical measures to protect your data

The bottom line is when travelling anywhere there is an increased danger of equipment and data being stolen, inspected or impounded. While users should certainly be aware of the dangers and what to do in the event of any problems, this should be combined with strict procedures for data transportation, storage and access, supported by appropriate technologies.

Paul Gershlick, a principal at law firm Matthew Arnold & Baldwin, says: "It's best to allow no, or minimal, sensitive data on the device. If data does need to be physically carried, such as for a presentation, secure encryption should be used. However, far better to allow remote access through very secure means such as SSL VPN, coupled with RSA key fobs, so data never resides on the portable device but access is controlled. Remote access sessions should also require complex passwords to log in and inactive sessions should be timed out."

Other technological safeguards include tagging or alarming equipment, multi-factor access authentication, remote data deletion technologies and secure online storage solutions. But Activity IM's Connor cautions that no solutions will work everywhere, so policies will need to be flexible enough to allow for different circumstances. Neither online storage nor encryption are foolproof, for instance. "In practice, in the Europe Economic Area, the use of encryption for commercial use seems to be accepted, but that isn't necessarily the actual legal position. What would you do if a customs officer demands that you decrypt your laptop to look at the contents?" he says.

"Similar considerations arise from the use of VPNs, which use encryption to protect the traffic back to your office in the UK. I would be very surprised if intelligence services, even in friendly countries, didn't note IP traffic going from their networks back to the UK. If they take an interest they might try to intercept the unencrypted traffic. As regards using the cloud, this is okay but all the usual caveats apply. You are relying on a third party to protect your data. There is a lot of data in an accessible place, so it is an obvious target for hackers."

Case study: The UN globetrotter

Stuart Barton, senior field engineer at Hughes Network Systems, travelled to more than 50 countries between 2005-2007, installing satellite data systems for the United Nations. He says that, although many tools and some solar panels were stolen in transit, the only problems he had with IT kit was at security and customs. "The biggest pain was Israel. They made me switch my laptop on, then kept me there ages while they checked through the contents of my e-mails and documents."

He also says business travellers need to be wary of officials demanding fees. "In Armenia, they tried to charge me tax to take my laptop out of the country. I knew they were trying it on. But when I said I'd brought it into the country, I had to prove it by firing it up and showing them pictures I'd taken in various other countries."

Fortunately, data security was not an issue. "I only had personal data on my laptop. Because we were contracted by the UN, they insisted all data was transported by their own personnel, who all had diplomatic passports."

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy